freetype: buffer overflow [CVE-2006-3467]

Related Vulnerabilities: CVE-2006-3467  

Debian Bug report logs - #379920

Reported by: Martin Pitt <martin.pitt@ubuntu.com>

Date: Wed, 26 Jul 2006 11:33:01 UTC

Severity: grave

Tags: patch, security

Found in version 2.2.1-2

Fixed in versions freetype/2.2.1-5, freetype/2.1.7-6

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#379920; Package freetype.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <martin.pitt@ubuntu.com>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: freetype: buffer overflow [CVE-2006-3467]
Date: Wed, 26 Jul 2006 13:11:26 +0200
Package: freetype
Version: 2.2.1-2
Tags: security patch
Severity: important

Hi!

The current freetype does not properly check string lengths when
reading PCF font files. Some references are at

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467

Ubuntu patch:

  http://patches.ubuntu.com/patches/freetype.CVE-2006-3467.patch

I attach a demo.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[bad1.pcf (application/x-font, attachment)]
[ftcrash.c (text/x-csrc, attachment)]
[signature.asc (application/pgp-signature, inline)]

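The defect described in this report (a PCF string offset taken from the file and used without checking that the string actually lies inside the string block) is illustrated below by a hardened reader. This is an added example, not FreeType's code and not the attached patch; the function names, the `PCF_BAD_STRING` sentinel and the sample string block are constructed here.

```c
/* Hardened lookup of a string inside a PCF-style string block.
 * A PCF properties table stores each string value as an offset into a
 * separate block of `size` bytes.  Trusting that offset, or calling
 * strlen() on it, reads past the block when the file is malformed; adding
 * offset + length before validating either can also wrap around.  This
 * version validates the offset first, then bounds the scan with memchr(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCF_BAD_STRING ((size_t)-1)   /* constructed sentinel for "reject" */

/* Length of the NUL-terminated string at `offset`, or PCF_BAD_STRING when
 * the offset is outside the block or no terminator exists before its end. */
size_t pcf_checked_strlen(const char *block, size_t size, uint32_t offset)
{
    if (block == NULL || offset >= size)       /* offset beyond the block */
        return PCF_BAD_STRING;
    const char *start = block + offset;
    /* size - offset cannot underflow here, and memchr never scans past it */
    const char *nul = memchr(start, '\0', size - offset);
    if (nul == NULL)                           /* string runs off the end */
        return PCF_BAD_STRING;
    return (size_t)(nul - start);
}

/* Count property entries whose string value is safely addressable; a loader
 * would reject the font as soon as one entry fails. */
size_t pcf_count_valid_strings(const char *block, size_t size,
                               const uint32_t *offsets, size_t nprops)
{
    size_t ok = 0;
    for (size_t i = 0; i < nprops; i++)
        if (pcf_checked_strlen(block, size, offsets[i]) != PCF_BAD_STRING)
            ok++;
    return ok;
}

/* Constructed sample block: two terminated strings, then bytes without a
 * NUL.  sizeof() - 1 drops the literal's implicit terminator on purpose. */
static const char   sample_block[] = "FAMILY_NAME\0Fixed\0noterm";
static const size_t sample_size    = sizeof(sample_block) - 1;   /* 24 */
/* Offsets as a malformed property table might supply them. */
static const uint32_t sample_offsets[4] = { 0, 12, 18, 24 };

int main(void)
{
    for (size_t i = 0; i < 4; i++)
        printf("offset %u -> %zd\n", sample_offsets[i],
               (ptrdiff_t)pcf_checked_strlen(sample_block, sample_size, sample_offsets[i]));
    return 0;
}
```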
Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#379920; Package freetype.

Acknowledgement sent to dparsons@debian.org:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>.


Message #10 received at 379920@bugs.debian.org:

From: Drew Parsons <dparsons@debian.org>
To: 379920@bugs.debian.org
Subject: re: buffer overflow [CVE-2006-3467]
Date: Sun, 20 Aug 2006 20:00:23 +1000
libxfont is also affected by this bug, see Debian bug #383353 or X.org
bug #7535 at https://bugs.freedesktop.org/show_bug.cgi?id=7535

The libxfont patch has been applied in 1:1.2.0-2, but the test outlined
in #7535 has xfontsel continuing to crash with

X Error of failed request:  BadAlloc (insufficient resources for
operation)
  Major opcode of failed request:  45 (X_OpenFont)
  Serial number of failed request:  1392
  Current serial number in output stream:  1393

I am assuming at this point that this crash is continuing to occur
because freetype is not yet patched (if it still happens after freetype
is fixed then we'll need to look more deeply!)

Drew



Severity set to `grave' from `important'. Request was from Drew Parsons <dparsons@debian.org> to control@bugs.debian.org.


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.

Notification sent to Martin Pitt <martin.pitt@ubuntu.com>:
Bug acknowledged by developer.


Message #17 received at 379920-close@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 379920-close@bugs.debian.org
Subject: Bug#379920: fixed in freetype 2.2.1-5
Date: Tue, 12 Sep 2006 15:47:24 -0700
Source: freetype
Source-Version: 2.2.1-5

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive:

freetype2-demos_2.2.1-5_i386.deb
  to pool/main/f/freetype/freetype2-demos_2.2.1-5_i386.deb
freetype_2.2.1-5.diff.gz
  to pool/main/f/freetype/freetype_2.2.1-5.diff.gz
freetype_2.2.1-5.dsc
  to pool/main/f/freetype/freetype_2.2.1-5.dsc
libfreetype6-dev_2.2.1-5_i386.deb
  to pool/main/f/freetype/libfreetype6-dev_2.2.1-5_i386.deb
libfreetype6-udeb_2.2.1-5_i386.udeb
  to pool/main/f/freetype/libfreetype6-udeb_2.2.1-5_i386.udeb
libfreetype6_2.2.1-5_i386.deb
  to pool/main/f/freetype/libfreetype6_2.2.1-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 379920@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 12 Sep 2006 15:04:42 -0700
Source: freetype
Binary: freetype2-demos libfreetype6-udeb libfreetype6 libfreetype6-dev
Architecture: source i386
Version: 2.2.1-5
Distribution: unstable
Urgency: high
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 379920
Changes: 
 freetype (2.2.1-5) unstable; urgency=high
 .
   * High-urgency upload for RC bugfix.
   * Add debian/patches-freetype/CVE-2006-3467_pcf-strlen.patch to
     address CVE-2006-3467, a missing string length check in PCF files that
     leads to a possibly exploitable integer overflow.  Thanks to Martin
     Pitt for the patch.  Closes: #379920.
Files: 
Package-Type: udeb





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#379920; Package freetype.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list.


Message #22 received at 379920@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Debian Security Team <team@security.debian.org>, 379920@bugs.debian.org
Subject: Re: freetype: buffer overflow [CVE-2006-3467]
Date: Tue, 12 Sep 2006 23:51:03 -0700
Hi guys,

Looks like it's time for another try at freetype.  CVE-2006-3467 appears to
be a potentially exploitable integer overflow in freetype's PCF parser. 
I've uploaded freetype_2.1.7-6 to
<http://people.debian.org/~vorlon/freetype-DSA/>, replacing the previous
version there; signed sources, unsigned changes.  Please do whatever's
necessary with the package to make it suitable for a DSA release -- I won't
be uploading it at all to the security.d.o dak queue, given the poor outcome
of my other recent attempts.

debdiff vs. 2.1.7-5 in stable (r3) is also attached to this mail, in case
that's more convenient.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[freetype-379920.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#379920; Package freetype.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>.


Message #27 received at 379920@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steve Langasek <vorlon@debian.org>
Cc: Debian Security Team <team@security.debian.org>, 379920@bugs.debian.org
Subject: Re: freetype: buffer overflow [CVE-2006-3467]
Date: Wed, 13 Sep 2006 21:33:46 +0200
Steve Langasek wrote:
> Looks like it's time for another try at freetype.  CVE-2006-3467 appears to
> be a potentially exploitable integer overflow in freetype's PCF parser. 
> I've uploaded freetype_2.1.7-6 to
> <http://people.debian.org/~vorlon/freetype-DSA/>, replacing the previous
> version there; signed sources, unsigned changes.

Thanks, this was already on my list. I've lost track of the status of the
regression that did bite several users. Do I need to dig out the patch or
was it fixed in r2?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#379920; Package freetype.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list.


Message #32 received at 379920@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Debian Security Team <team@security.debian.org>, 379920@bugs.debian.org
Subject: Re: freetype: buffer overflow [CVE-2006-3467]
Date: Wed, 13 Sep 2006 14:08:33 -0700
On Wed, Sep 13, 2006 at 09:33:46PM +0200, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> > Looks like it's time for another try at freetype.  CVE-2006-3467 appears to
> > be a potentially exploitable integer overflow in freetype's PCF parser. 
> > I've uploaded freetype_2.1.7-6 to
> > <http://people.debian.org/~vorlon/freetype-DSA/>, replacing the previous
> > version there; signed sources, unsigned changes.

> Thanks, this was already on my list. I've lost track of the status of the
> regression that did bite several users. Do I need to dig out the patch or
> was it fixed in r2?

That fix is included in 2.1.7-5, which is part of sarge r3, so -6 should be
a clean patch against that version for just this security fix.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.

Notification sent to Martin Pitt <martin.pitt@ubuntu.com>:
Bug acknowledged by developer.


Message #37 received at 379920-close@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 379920-close@bugs.debian.org
Subject: Bug#379920: fixed in freetype 2.1.7-6
Date: Sat, 28 Oct 2006 08:25:29 -0700
Source: freetype
Source-Version: 2.1.7-6

We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive:

freetype2-demos_2.1.7-6_i386.deb
  to pool/main/f/freetype/freetype2-demos_2.1.7-6_i386.deb
freetype_2.1.7-6.diff.gz
  to pool/main/f/freetype/freetype_2.1.7-6.diff.gz
freetype_2.1.7-6.dsc
  to pool/main/f/freetype/freetype_2.1.7-6.dsc
libfreetype6-dev_2.1.7-6_i386.deb
  to pool/main/f/freetype/libfreetype6-dev_2.1.7-6_i386.deb
libfreetype6-udeb_2.1.7-6_i386.udeb
  to pool/main/f/freetype/libfreetype6-udeb_2.1.7-6_i386.udeb
libfreetype6_2.1.7-6_i386.deb
  to pool/main/f/freetype/libfreetype6_2.1.7-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 379920@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 12 Sep 2006 23:27:20 -0700
Source: freetype
Binary: freetype2-demos libfreetype6-udeb libfreetype6 libfreetype6-dev
Architecture: source i386
Version: 2.1.7-6
Distribution: stable-security
Urgency: high
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Closes: 379920
Changes: 
 freetype (2.1.7-6) stable-security; urgency=high
 .
   * Add debian/patches-freetype/CVE-2006-3467_pcf-strlen.patch for
     CVE-2006-3467, a missing string length check in PCF files that
     leads to a possibly exploitable integer overflow.  Thanks to Martin
     Pitt for the patch.  Closes: #379920.
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 20:02:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:28:04 2019; Machine Name: beach
